The Cloud Firewall is a feature of the Joyent Cloud that centralizes control of network traffic filtering rules across SmartOS instances.
Cloud Firewall maintains a list of rules that apply to all of the SmartOS instances in a data center that have the Cloud Firewall feature enabled. Rules can apply to:
Tags are one of the most common ways to apply Cloud Firewall rules to a pool of instances. A tag is a user-defined name/value pair attached to an instance, and you can use tags to identify groups of instances. For example, all of your web servers might carry the tag role=Web and all of your databases the tag role=database. Tags do not need a value: you can tag an instance with a name alone, so instead of a role tag you might use a bare Web tag to identify your web servers. You can learn more about tags here.
The Cloud Firewall Rules feature is enabled or disabled on a per-instance basis. A newly created instance has it disabled by default, so the rules you define have no effect on an instance until you enable the feature on that instance.
(Cloud Firewall currently does not work with KVM instances, so Linux, Windows, and other OSes running under KVM should be protected by enabling a firewall inside the instance, such as iptables or Windows Firewall.)
When FIRST using Cloud Firewall rules:
In this example, you will set up rules that allow SSH, HTTP, and HTTPS access.
Verify or set the first part of the form as below:
In the Protocol column, choose TCP and set Port to 22, the SSH port.
In the From column, choose Any. This means you accept traffic to port 22 from any machine on the Internet. Because this exposes SSH to the whole Internet, it is worth narrowing From to your own addresses once you know them, and making sure SSH on the instances does not accept password logins.
In the To column, choose All my VMs in DC. This means the rule applies to every SmartOS instance in the data center you selected that has Cloud Firewall enabled: traffic on port 22 from anywhere on the Internet can reach any of those instances.
Click the Add, Add From, and Add To buttons under each column to set the rule.
Click Create Rule, and the rule to allow SSH traffic from anywhere in the Internet will appear in the list.
Now you need to create the rules to allow HTTP and HTTPS traffic. You do this the same way. Click Add New Rule. Set the Action, State, and Data Center values as before. For the HTTP rule, use:
This time, in the To column, choose Tag. A new field, Tag Name, will appear; set it to Role. Another field, Value, will appear below it; set it to Web.
Click Create Rule, and the rule allowing HTTP traffic from anywhere on the Internet to any SmartOS instance tagged Role=Web will appear in the list.
Finally, create the rule for HTTPS traffic. Click Add New Rule. Set the Action, State, and Data Center values as before. For the HTTPS rule, use:
In the To column, choose Tag. Set Tag Name to Role and Value to Web.
Click Create Rule, and the rule allowing HTTPS traffic from anywhere on the Internet to any SmartOS instance tagged Role=Web will appear in the list.
You now have three rules ready to be enforced.
If you have existing SmartOS instances that do not have Cloud Firewall enabled, they appear in the list below. Click one you would like to apply these rules to (it must be in the same data center in which you defined the rules). If you have no SmartOS instances, click Create Instance (in the upper right) and create a SmartOS instance from a base image. Wait for it to provision, then proceed below.
In the Instance Detail page, scroll down to the Tags section.
Click Add New Tag, set the name to Role and the value to Web, and click Save. The name and value must match what you entered in the rule's Tag Name and Value fields, otherwise the HTTP and HTTPS rules will not select this instance.
Scroll down further to the Cloud Firewall section.
The two default rules are already there. Click Enable to turn on the feature. Refresh the page, and you should see a total of four rules. (The ICMP rule is a system rule that cannot be deleted.)
If you run a port scan against that machine's external interface, you will see ports 22, 80, and 443 open and everything else closed. Scanning from outside like this is the real check that the rules are being enforced, rather than trusting the list in the web interface.
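To make the effect of those three rules concrete, here is an added example in Python. It is not part of the original tutorial and not Joyent's firewall code: it is a small model that parses the three rules in the Cloud Firewall rule syntax, applies their To targets ("all vms" and tags) to constructed instances, and reports what the port scan above would see for an instance tagged Role=Web, one tagged Role=database, and one with the feature disabled. The instance names and tags are constructed, the parser handles only the subset of the syntax the tutorial uses, and the default-deny for unmatched inbound traffic is the behaviour the tutorial observes in its scan, not a transcription of the reference's precedence rules.

```python
"""Simplified model of Cloud Firewall rule evaluation (added example, not
Joyent's engine).  It models what the tutorial describes: rules apply only
to instances with Cloud Firewall enabled, a rule's To target is either
"all vms" in the data center or instances carrying a tag (with or without
a value), and inbound traffic no ALLOW rule matches is blocked."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the Cloud Firewall rule syntax handled here.  The full grammar
# in the Cloud Firewall Rules Reference also has BLOCK, ip/subnet/vm
# targets, port lists and icmp; those are left out of this model:
#   FROM any TO (all vms | tag NAME [= VALUE]) ALLOW (tcp|udp) PORT N
RULE_RE = re.compile(
    r"^FROM\s+any\s+TO\s+(?P<target>all\s+vms|tag\s+\w+(?:\s*=\s*\w+)?)"
    r"\s+ALLOW\s+(?P<proto>tcp|udp)\s+PORT\s+(?P<port>\d+)$",
    re.IGNORECASE,
)
TAG_RE = re.compile(r"^tag\s+(\w+)(?:\s*=\s*(\w+))?$", re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    all_vms: bool               # True for "all vms", False for a tag target
    tag_name: Optional[str]
    tag_value: Optional[str]    # None: tag must be present, any value
    proto: str
    port: int


@dataclass
class Instance:
    name: str
    firewall_enabled: bool      # the per-instance Enable switch
    tags: Dict[str, str] = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Parse one rule in the (subset of) Cloud Firewall rule syntax."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {text!r}")
    target = m["target"]
    if re.fullmatch(r"all\s+vms", target, re.IGNORECASE):
        return Rule(True, None, None, m["proto"].lower(), int(m["port"]))
    t = TAG_RE.match(target)
    return Rule(False, t.group(1), t.group(2), m["proto"].lower(), int(m["port"]))


def rule_targets(rule: Rule, inst: Instance) -> bool:
    """Does this rule's To target include the instance?"""
    if rule.all_vms:
        return True
    if rule.tag_name not in inst.tags:
        return False
    return rule.tag_value is None or inst.tags[rule.tag_name] == rule.tag_value


def inbound_allowed(rules: List[Rule], inst: Instance, proto: str, port: int) -> Optional[bool]:
    """True/False when Cloud Firewall decides the packet; None when the
    instance has the feature disabled, in which case Cloud Firewall does
    not filter it at all and only a firewall inside the instance would."""
    if not inst.firewall_enabled:
        return None
    for r in rules:
        if r.proto == proto and r.port == port and rule_targets(r, inst):
            return True
    return False  # default deny: no ALLOW rule matched


def scan(rules: List[Rule], inst: Instance, ports=(22, 80, 443, 3306, 8080)) -> Dict[int, Optional[bool]]:
    """Model of the external TCP port scan at the end of the tutorial."""
    return {p: inbound_allowed(rules, inst, "tcp", p) for p in ports}


# The three tutorial rules, written in the rule syntax.
TUTORIAL_RULES = [parse_rule(r) for r in (
    "FROM any TO all vms ALLOW tcp PORT 22",
    "FROM any TO tag Role = Web ALLOW tcp PORT 80",
    "FROM any TO tag Role = Web ALLOW tcp PORT 443",
)]

# Constructed instances (hypothetical names and tags, not from the page).
WEB = Instance("web01", True, {"Role": "Web"})
DB = Instance("db01", True, {"Role": "database"})
LEGACY = Instance("legacy01", False, {"Role": "Web"})  # feature not enabled

if __name__ == "__main__":
    for inst in (WEB, DB, LEGACY):
        print(inst.name, scan(TUTORIAL_RULES, inst))
```

The db instance shows why the SSH rule is broader than the web rules: it targets all VMs, so port 22 is open on every enabled instance, while 80 and 443 open only where the Role=Web tag is present. The disabled instance returns None for every port, which is the KVM situation the tutorial warns about: nothing in Cloud Firewall is protecting it.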
This concludes this tutorial. Stay safer out there with Cloud Firewall Rules.
You can learn more about working with Cloud Firewall Rules here. In addition to the web interface described in this tutorial, you can use the CloudAPI command-line interface. The syntax for writing Cloud Firewall rules is in the Cloud Firewall Rules Reference.